In the Claims 

Claims remaining in the application are as follows: 

1. (Currently amended): A computer-implemented method comprising: 
observing communication between a plurality of devices; and 

inferring a respective state of at least one device of the plurality of devices based upon 
the observing the communication. 

2. (Original): The method of claim 1 wherein 

the inferring is performed without sending a packet to the at least one device. 

3. (Original): The method of claim 1 wherein 

the inferring is performed without participating in the communication with the at least 
one device. 

4. (Original): The method of claim 1 wherein 

the inferring is performed only by listening to the communication with the at least one 
device. 

5. (Original): The method of claim 1 further comprising: 

setting a designation for a first device of the plurality of devices to a threat when 
the first device receives a packet and 
the respective state of the first device is unfulfilled. 

6. (Original): The method of claim 5 further comprising: 

changing the designation for the first device to a non-threat when subsequent 
communication initiated by the first device does not violate a rule for the 
communication. 

7. (Original): The method of claim 1 further comprising: 

setting a designation for a first device of the plurality of devices to a possible threat 
when 

-Page 2 of 1 8- Serial No. 1 0/676,541 

March 23, 2007 



the communication is initiated by the first device, and 

the communication initiated by the first device violates a rule. 

8. (Original): The method of claim 7 further comprising: 

changing the designation for the first device to a non-threat when subsequent 

communication initiated by the first device does not violate a second rule for the 
communication. 

9. (Original): The method of claim 1 further comprising: 

setting a designation for a first device of the at least one device to a possible threat 

based upon a packet configuration for a packet sent by the first device as part of 
the communication. 

10. (Original): The method of claim 1 wherein 

the respective state of a first device of the at least one device is determined to be 
unknown. 

1 1 . (Original): The method of claim 1 0 wherein 

the respective state of the first device is determined to be unknown when the observing 
the communication comprises 

observing that the first device fails to respond to the communication sent to the 
first device. 

12. (Original): The method of claim 1 wherein 

the respective state of a first device of the at least one device is determined to be 
unfulfilled. 

1 3. (Original) The method of claim 1 2 wherein 

the respective state of the first device is determined to be unfulfilled when the 
observing the communication comprises 

observing an address resolution protocol request comprising a destination 

address for the first device, and 
observing that the first device does not respond to the address resolution 

protocol request prior to expiration of a time limit 
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1 4. (Original): The method of claim 1 2 wherein 

the respective state of the first device is determined to be unfulfilled when the first 
device receives an address resolution protocol request. 

15. (Original): The method of claim 1 wherein 

the respective state of a first device of the plurality of devices is determined to be used. 

1 6. (Original): The method of claim 1 5 wherein 

the respective state of the first device is determined to be used when the observing the 
communication comprises 

observing that the first device performs one of sending and receiving a packet. 

1 7. (Original): The method of claim 1 5 wherein 

the respective state of the first device is determined to be used when the observing the 
communication comprises 

observing that the first device received a packet when the respective state for 

the first device was unfulfilled, and 
observing that the first device sent a reply to the packet within a time limit. 

18. (Original): The method of claim 1 wherein 

the respective state of a first device of the plurality of devices is determined to be 
virtual. 

19. (Original): The method of claim 18 wherein 

the respective state of the first device is determined to be virtual when the observing 
the communication comprises 

observing that the first device received a packet when the respective state for 

the first device was unfulfilled, and 
observing that the first device did not send a reply to the packet within a time 

limit. 

20. (Original): The method of claim 1 wherein 

the respective state of a first device of the plurality of devices is determined to be 
automatic. 
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21 . (Original): The method of claim 20 wherein 

the respective state of the first device is determined to be automatic when 

an automatic reply is programmed to be sent to a second address when the first 
device receives a packet from the second address. 

22. (Original): The method of claim 1 wherein 

the respective state of the first device is determined to be omitted. 

23. (Original): The method of claim 22 wherein 

the respective state of the first device is determined to be omitted when 

the observing is programmed to omit communication with the first device from 
the observing. 

24. (Original): The method of claim 1 further comprising: 

initializing the respective state of at least one device of the plurality of devices to 
unknown prior to the observing. 

25. (Original): The method of claim 1 wherein 

the plurality of devices communicates via a segment of a network. 

26. (Original): The method of claim 1 further comprising: 

maintaining the respective state for one device of the at least one device in a storage 
area. 

27. (Original): The method of claim 1 wherein 

storing information about at least one packet of a plurality of packets communicated 
between the plurality of devices. 

28. (Original): The method of claim 27 wherein 

the information comprises a respective source address and a respective destination 
address for each packet of the plurality of packets. 

29. (Original): The method of claim 27 wherein 

the information comprises a protocol for each packet of the plurality of packets. 
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30. (Original): The method of claim 27 wherein 
the information comprises a time that each packet of the plurality of packets was sent. 

31 .(Currently amended): A system comprising: 
computer-readable media encoded with: 

observing means for observing communication between a plurality of devices; 
and 

inferring means for inferring a respective state of at least one device of the 
plurality of devices based upon the observing the communication. 

32. (Currently amended): The system of claim 31 further comprising: 
computer-readable media encoded with: 

determining means for determining that the respective state is unknown when the 
observing the communication comprises 

observing that the first device fails to respond to the communication sent to the 
first device. 

33. (Currently amended): The system of claim 31 further comprising: 
computer-readable media encoded with: 

determining means for determining that the respective state of the first device is 
unfulfilled when the observing the communication comprises 
observing an address resolution protocol request comprising a destination 

address for the first device, and 
observing that the first device does not respond to the address resolution 

protocol request prior to expiration of a time limit. 

34. (Currently amended): The system of claim 31 further comprising: 
computer-readable media encoded with: 

determining means for determining that the respective state of the first device is 

unfulfilled when the first device receives an address resolution protocol request. 

35. (Currently amended): The system of claim 31 further comprising: 
computer-readable media encoded with: 
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determining means for determining that the respective state of the first device is used 
when the observing the communication comprises 

observing that the first device performs one of sending and receiving a packet. 

36. (Currently amended): The system of claim 31 further comprising: 
computer-readable media encoded with: 

determining means for determining that the respective state of the first device is used 
when the observing the communication comprises 

observing that the first device received a packet when the respective state for 

the first device wais unfulfilled, and 
observing that the first device sent a reply to the packet within a time limit. 

37. (Currently amended): The system of claim 31 further comprising: 
computer-readable media encoded with: 

determining means for determining that the respective state of a first device of the 

plurality of devices is virtual when the observing the communication comprises 
observing that the first device received a packet when the respective state for 

the first device was unfulfilled, and 
observing that the first device failed to send a reply to the packet within a time 

limit. 

38. (Currently amended): The system of claim 31 further comprising: 
computer-readable media encoded with: 

determining means for determining that the respective state of the first device is 
automatic when 

an automatic reply is programmed to be sent to a second address when the first 
device receives a packet from the second address. 

39. (Currently amended): The system of claim 31 further comprising: 
computer-readable media encoded with: 

determining means for determining that the respective state of the first device is 
omitted when 
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the observing is programmed to omit communication with the first device from 
the observing. 

40. (Currently amended): The system of claim 31 further comprising: 
computer-readable media encoded with: 

initializing means for initializing the respective state of at least one device of the 
plurality of devices to unknown prior to the observing. 

41 . (Currently amended): The system of claim 31 further comprising: 
computer-readable media encoded with: 

maintaining means for maintaining the respective state for one device of the at least 
one device in a storage area. 

42. (Currently amended): The system of claim 31 further comprising: 
computer-readable media encoded with: 

storing means for storing information about at least one packet of a plurality of packets 
communicated between the plurality of devices. 

43. (Currently amended): A system comprising: 
a computer-readable medium encoded with: 

an observing module configured to observe communication between a plurality 
of devices; and 

an inferring module configured to infer a respective state of at least one device 
of the plurality of devices based upon the observing the communication. 

44. (Original): The system of claim 43 wherein the computer-readable medium is 
further encoded with furth e r compr i s i ng : 

a determining module configured to determine that the respective state is unknown 
when the observing the communication comprises 
observing that the first device fails to respond to the communication sent to 
the first device. 

45. (Original): The system of claim 43 wherein the computer-readable medium is 
further encoded with furth e r compr i s i ng : 
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a determining module configured to determine that the respective state of the first 
device is unfulfilled when the observing the communication comprises 
observing an address resolution protocol request comprising a destination 

address for the first device, and 
observing that the first device does not respond to the address resolution 

protocol request prior to expiration of a time limit. 

46. (Original): The system of claim 43 wherein the computer-readable medium is 
further encoded with furth e r compr i s i ng : 

a determining module configured to determine that the respective state of the first 
device is unfulfilled when the first device receives an address resolution 
protocol request. 

47. (Original): The system of claim 43 wherein the computer-readable medium is 
further encoded with furth e r compr i s i ng : 

a determining module configured to determine that the respective state of the first 
device is used when the observing the communication comprises 
observing that the first device performs one of sending and receiving a packet. 

48. (Original): The system of claim 43 wherein the computer-readable medium is 
further encoded with furth e r compris i ng : 

a determining module configured to determine that the respective state of the first 
device is used when the observing the communication comprises 
observing that the first device received a packet when the respective state for 

the first device wais unfulfilled, and 
observing that the first device sent a reply to the packet within a time limit. 

49. (Original): The system of claim 43 wherein the computer-readable medium is 
further encoded with furth e r compr i s i ng : 

a determining module configured to determine that the respective state of a first 
device of the plurality of devices is virtual when the observing the 
communication comprises 
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observing that the first device received a packet when the respective state for 

the first device was unfulfilled, and 
observing that the first device failed to send a reply to the packet within a 

time limit. 

50. (Original): The system of claim 43 wherein the computer-readable medium is 
further encoded with furth e r compr i s i ng : 

a determining module configured to determine that the respective state of the first 
device is automatic when 

an automatic reply is programmed to be sent to a second address when the 
first device receives a packet from the second address. 

51 . (Original): The system of claim 43 wherein the computer-readable medium is 
further encoded with furth e r compr i s i ng : 

a determining module configured to determine that the respective state of the first 
device is omitted when 

the observing is programmed to omit communication with the first device 
from the observing. 

52. (Original): The system of claim 43 wherein the computer-readable medium is 
further encoded with furth e r compris i ng : 

an initializing module configured to initialize the respective state of at least one 
device of the plurality of devices to unknown prior to the observing. 

53. (Original): The system of claim 43 wherein the computer-readable medium is 
further encoded with furth e r compr i s i ng : 

a maintaining module configured to maintain the respective state for one device of 
the at least one device in a storage area. 

54. (Original): The system of claim 43 wherein the computer-readable medium is 
further encoded with furth e r compr i s i ng : 

a storing module configured to store information about at least one packet of a 
plurality of packets communicated between the plurality of devices. 
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55. (Currently amended): A computer-readable medium encoded with a computer 
program comprising : 

observing instructions configured to observe communication between a plurality of 
devices; and 

inferring instructions configured to infer a respective state of at least one device of 
the plurality of devices based upon the observing the communication. 

56. (Original): The computer-readable medium of claim 55 further comprising: 
determining instructions configured to determine that the respective state is 

unknown when the observing the communication comprises 
observing that the first device fails to respond to the communication sent to 
the first device. 

57. (Original): The computer-readable medium of claim 55 further comprising: 
determining instructions configured to determine that the respective state of the first 

device is unfulfilled when the observing the communication comprises 
observing an address resolution protocol request comprising a destination 

address for the first device, and 
observing that the first device does not respond to the address resolution 

protocol request prior to expiration of a time limit. 

58. (Original): The computer-readable medium of claim 55 further comprising: 
determining instructions configured to determine that the respective state of the first 

device is unfulfilled when the first device receives an address resolution 
protocol request. 

59. (Original): The computer-readable medium of claim 55 further comprising: 
determining instructions configured to determine that the respective state of the first 

device is used when the observing the communication comprises 
observing that the first device performs one of sending and receiving a packet. 

60. (Original): The computer-readable medium of claim 55 further comprising: 
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determining instructions configured to determine that the respective state of the first 
device is used when the observing the communication comprises 
observing that the first device received a packet when the respective state for 

the first device wais unfulfilled, and 
observing that the first device sent a reply to the packet within a time limit. 

61 . (Original): The computer-readable medium of claim 55 further comprising: 
determining instructions configured to determine that the respective state of a first 

device of the plurality of devices is virtual when the observing the 
communication comprises 

observing that the first device received a packet when the respective state for 

the first device was unfulfilled, and 
observing that the first device failed to send a reply to the packet within a 

time limit. 

62. (Original): The computer-readable medium of claim 55 further comprising: 
determining instructions configured to determine that the respective state of the first 

device is automatic when 

an automatic reply is programmed to be sent to a second address when the 
first device receives a packet from the second address. 

63. (Original): The computer-readable medium of claim 55 further comprising: 
determining instructions configured to determine that the respective state of the first 

device is omitted when 

the observing is programmed to omit communication with the first device 
from the observing. 

64. (Original): The computer-readable medium of claim 55 further comprising: 
initializing instructions configured to initialize the respective state of at least one 

device of the plurality of devices to unknown prior to the observing. 

65. (Original): The computer-readable medium of claim 55 further comprising: 
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maintaining instructions configured to maintain the respective state for one device of 
the at least one device in a storage area. 

66. (Original): The computer-readable medium of claim 55 further comprising: 
storing instructions configured to store information about at least one packet of a 
plurality of packets communicated between the plurality of devices. 
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